From Canada to Argentina, Security Researchers Have Rights—Our New Report

EFF is introducing a new Coders' Rights project to connect the work of security research with the fundamental rights of its practitioners throughout the Americas. The project seeks to support the right of free expression that lies at the heart of researchers' creations and use of computer code to examine computer systems, and relay their discoveries among their peers and to the wider public.

We started this project because hackers and security researchers have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, hackers are able to improve security for every user who depends on information systems for their daily life and work.

Computer security researchers work, often independently from large public and private institutions, to analyze, explore, and fix the vulnerabilities that are scattered across the digital landscape. While most of this work is conducted unobtrusively as consultants or as employees, sometimes their work is done in the public interest—which gathers researchers headlines and plaudits, but can also attract civil or criminal suits. They can be targeted and threatened with laws intended to prevent malicious intrusion, even when their own work is anything but malicious. The result is that security researchers work in an environment of legal uncertainty, even as their job becomes more vital to the orderly functioning of society.

Drawing on rights recognized by the American Convention on Human Rights, and examples from North and South American jurisprudence, this paper analyzes what rights security researchers have; how those rights are expressed in the Americas’ unique arrangement of human rights instruments, and how we might best interpret the requirements of human rights law—including rights of privacy, free expression, and due process—when applied to the domain of computer security research and its practitioners. In cooperation with technical and legal experts across the continent, we explain that:

Computer programming is expressive activity protected by the American Convention of Human Rights. We explain how free expression lies at the heart of researchers’ creation and use of computer code to examine computer systems and to relay their discoveries among their peers and to the wider public.

Courts and the law should guarantee that the creation, possession or distribution of tools related to cybersecurity are protected by Article 13 of the American Convention of Human Rights, as legitimate acts of free expression, and should not be criminalized or otherwise restricted. These tools are critical to the practice of defensive security and have legitimate, socially desirable uses, such as identifying and testing practical vulnerabilities.

Lawmakers and judges should discourage the use of criminal law as a response to behavior by security researchers which, while technically in violation of a computer crime law, is socially beneficial. Cybercrime laws should include malicious intent and actual damage in its definition of criminal liability.

The “Terms of service” (ToS) of private entities have created inappropriate and dangerous criminal liability among researchers by redefining “unauthorized access” in the United States. In Latin America, under the Legality Principle, ToS provisions cannot be used to meet the vague and ambiguous standards established in criminal provisions (for example, "without authorization"). Criminal liability cannot be based on how private companies would like their services to be used. On the contrary, criminal liability must be based on laws which describe in a precise manner which conduct is forbidden and which is punishable.

Penalties for crimes committed with computers should, at a minimum, be no higher than penalties for analogous crimes committed without computers.

Criminal law punishment provisions should be proportionate to the crime, especially when cybercrimes demonstrate little harmful effects, or are comparable to minor traditional infractions.

Proactive actions that will secure the free flow of information in the security research community are needed.

We’d like to thank EFF Senior Staff Attorney Nate Cardozo, Deputy Executive Director and General Counsel Kurt Opsahl, International Rights Director Katitza Rodríguez, Staff Attorney Jamie Lee Williams, as well as consultant Ramiro Ugarte and Tamir Israel, Staff Attorney at Canadian Internet Policy and Public Interest Clinic at the Centre for Law, Technology and Society at the University of Ottawa, for their assistance in researching and writing this paper.

Related Updates

When is software free? Is it enough that the software be licensed under a free or open license? What about patents? Software as a service? Trade secrets? What about DRM? Is software ever free? There's a saying in the software freedom movement: "if you can't open it, it's not yours....

Have you ever wanted to talk with the Electronic Frontier Foundation about the risks of talking in public about security issues, especially in connected Internet of Things devices? Tomorrow, you'll get your chance. Information security has never been more important: now that everything from a car to a...

Congress has never made a law saying, "Corporations should get to decide who gets to publish truthful information about defects in their products,"— and the First Amendment wouldn't allow such a law — but that hasn't stopped corporations from conjuring one out of thin air, and then defending it as...

Update: Canadian authorities announced on May 7 that they dropped all charges against the teen they had previously accused of unauthorized use of a computer service for downloading public records from a government website. Canadian authorities should drop charges against a 19-year-old Canadian accused of “unauthorized use...

For tech lawyers, one of the hottest questions this year is: can companies use the Computer Fraud and Abuse Act (CFAA)—an imprecise and outdated criminal anti-“hacking” statute intended to target computer break-ins—to block their competitors from accessing publicly available information on their websites? The answer to this question has wide-ranging...

Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail. EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon...

Last weekend’s Cambridge Analytica news—that the company was able to access tens of millions of users’ data by paying low-wage workers on Amazon’s Mechanical Turk to take a Facebook survey, which gave Cambridge Analytica access to Facebook’s dossier on each of those turkers’ Facebook friends—has hammered home two problems: first...

Deputy Attorney General Rod Rosenstein delivered a speech on Tuesday about what he calls “responsible encryption” today. It misses the mark, by far. Rosenstein starts with a fallacy, attempting to convince you that encryption is unprecedented: Our society has never had a system where evidence of criminal wrongdoing...

EFF, joined by Public Knowledge, filed an amicus brief today asking the Court of Appeals for the Federal Circuit to revisit one of its worst decisions ever. Three years ago this month, in Oracle v. Google, the Federal Circuit held that the Java Application Programming...

This year was one of the busiest in recent memory when it comes to cryptography law in the United States and around the world. But for all the Sturm und Drang, surprisingly little actually changed in the U.S. In this post, we’ll run down the list of things that happened...